Abstract

We exhibit a quantum algorithm for determining the zeta function of a genus g curve
over a finite field F_q, which is polynomial in g and log(q). This amounts to giving an
algorithm to produce provably random elements of the class group of a curve, plus a
recipe for recovering a Weil polynomial from enough of its cyclic resultants. The latter
effectivizes a result of Fried in a restricted setting.

1 Introduction 

Given a curve C (assumed to be smooth, projective and geometrically irreducible) over a
finite field F_q with q = p^a for some prime p, the zeta function of C has the form

    Z(C, t) = \exp\left( \sum_{n=1}^{\infty} \#C(\mathbb{F}_{q^n}) \frac{t^n}{n} \right) = \frac{P(t)}{(1 - t)(1 - qt)}

for some polynomial P(t) ∈ Z[t] of degree 2g with P(0) = 1. The determination of P(t)
is an active problem in algorithmic number theory, in part because of practical connections
to cryptography (especially when C is an elliptic curve, or more generally a hyperelliptic
curve). For g fixed, the approach introduced by Schoof (compute P(t) modulo many
small primes) gives an algorithm which is polynomial in log(q) but exponential in g, as
shown by Pila [21] and Adleman and Huang. (A streamlined form of Schoof's algorithm,
incorporating improvements due to Atkin, Elkies, et al., turns out to be usable in practice
for g = 1 and perhaps for g = 2, but for larger g the algorithm is highly impractical.) On
the other hand, imitating Dwork's proof of the rationality of zeta functions [4] yields an
algorithm which is polynomial in p, g and log_p(q), as observed by Lauder and Wan.
(The latter is also not practical, but related "cohomological" techniques have proven more
tractable; see [3] for the current state of the art.)

However, a single algorithm for computing P(t) in time polynomial both in g and log(q)
remains elusive. Thus any sign that this problem might be "easy" has some relevance; the
main result of this note (originally written as an addendum to [12]) is one such sign, if only
an indirect one.

Theorem 1. There is a quantum algorithm for computing the numerator P(t) of the zeta
function, which is polynomial time in g, log(q). (See Section 2 for conventions regarding
probabilistic algorithms.)

Implicit in the statement of the theorem is the choice of a mechanism for inputting
arbitrary curves, such that the length of the input is polynomial in the genus. We will be
more explicit about the choice we have in mind in Section 6; however, if the reader prefers
to substitute a polynomial time equivalent alternate choice, this will of course not affect the
truth of the theorem.

The components of the algorithm specified in Theorem 1 will be described in the subsequent
sections of the paper. It may be worth pointing out here some components that may
have some interest on their own: a method for producing generators of the Jacobian group
of a curve over a finite field with provably high probability (Lemma 10), and a method for
recovering a Weil polynomial from a few of its cyclic resultants (Section 9).

2 Conventions for probabilistic algorithms 

Before proceeding, it will be helpful to fix some conventions about probabilistic algorithms. 

Given a real number b ∈ (0,1), we define a Las Vegas algorithm to be an algorithm
that, given a stream of outputs of a "fair coin" (a/k/a a Bernoulli trial with probability
1/2), accomplishes its specified goal with probability at least 1 − b and otherwise reports
failure (so it never returns a wrong answer). As long as b is fixed, its exact value is not
critical, as the success probability of a Las Vegas algorithm can be boosted simply by
repeated invocation. This analysis is standard (and easy), but it will be useful for us to
record it explicitly: in terms of the success probability a = 1 − b, in case a ≤ 1/2, then
after two invocations, the success probability is

    1 - (1 - a)^2 = 2a - a^2 = a(2 - a) \geq 3a/2.

In particular, one can boost the success probability from a to 1/2 with at most

    2^{\lceil \log_{3/2}(2/a) \rceil} \leq 2^{2 \log_2(2/a) + 1} = 8/a^2

invocations, and from there up to any fixed higher value by multiplying the number of
invocations by a suitable fixed factor. For instance, to get to success probability 3/4, it
suffices to perform 16/a^2 invocations. (By the same token, it is sometimes more convenient
to use Bernoulli trials of different probabilities, e.g., to sample uniformly from a finite set;
one can simulate such trials with a fair coin up to any fixed failure probability.)

Given a real number b ∈ (0, 1/2), we define a Monte Carlo algorithm to be an algorithm
that, given a stream of outputs of a fair coin, accomplishes its specified goal with probability
at least 1 − b but may yield any outcome otherwise. Because of the nature of quantum
mechanics, all quantum algorithms must be regarded as Monte Carlo algorithms. Again,
one can decrease the error probability b below any fixed cutoff, this time by performing a
fixed number of invocations and retaining the answer returned most often (a majority vote,
which is why b < 1/2 is required). This analysis is standard, and it will not be useful for us
to record it explicitly, so we omit it.

3 Black box groups 

Our quantum algorithm for computing zeta functions reduces the problem to the determination
of the order of certain "black box groups". Before proceeding to the specific groups
in question (groups of rational points on Jacobian varieties), we first recall a bit of the
formalism of black box groups and cite the result about them we will be using. Note that this
formalism makes sense within any of the standard computing paradigms (e.g., deterministic,
Las Vegas, Monte Carlo, or quantum).

A black box group with unique encodings, in the sense of Babai and Szemerédi [2], consists
of an n-element subset T of {0,1}^m for some m and n, and an oracle which has the following
properties, for some (unknown) subset S ⊆ {0,1}^m containing T, and some (unknown)
bijective map f : S → G from S to a group G generated by f(T).

(a) Given x, y ∈ S, the oracle can determine z ∈ S such that f(z) = f(x)f(y) in G.

(b) Given x ∈ S, the oracle can determine y ∈ S such that f(y) = f(x)^{-1} in G.

We may also speak of this data as a "black box presentation of G with unique encodings";
its input length for complexity purposes is taken to be mn. Compare this definition with
that of a "black box group" without further qualification: in that case f is only required to
be surjective, and the oracle is required to be able to determine, given x ∈ S, whether f(x)
is the identity element of G.

We are now ready to invoke the necessary input from the theory of quantum computing.

Lemma 2. Given a Monte Carlo black box group presentation with unique encodings f :
S → G of an abelian (or even solvable) group G, of input length mn, there is a quantum
algorithm, running in time polynomial in mn, for computing the order of G.

Proof. See Watrous [27], [28]; the technique extends Shor's application of Fourier transform
methods to the factoring and discrete logarithm problems [22]. □
4 Algebraic curves



Since our intended reader is not necessarily an expert in algebraic geometry, we include here
a synopsis of some relevant facts. For a fuller treatment, see [7] or [11, Chapter IV].

By a curve over a perfect field k, we will always mean a smooth, projective, geometrically
irreducible variety C of dimension 1 over k. To each such curve we can associate the field
K(C) of rational functions on C; this is a field of transcendence degree 1 over k, in which k
is relatively algebraically closed. In fact, the functor C ↦ K(C) is an equivalence between
curves and such fields. Let k̄ denote the algebraic closure of k, and let C(k) and C(k̄) denote
the sets of k-rational and k̄-rational points, respectively, on C.

A divisor on C is a formal sum

    D = \sum_{P \in C(\bar{k})} c_P (P) \qquad (c_P \in \mathbb{Z}),

invariant under the action of Gal(k̄/k) induced by the Galois action on C(k̄), in which c_P = 0
for all but finitely many P. That last condition means that the sum Σ_P c_P is well-defined;
it is called the degree of D and denoted deg(D).

We point out three special types of divisors. We refer to the sum over a single Galois orbit
on C(k̄), with all coefficients 1, as a prime divisor; the group of divisors is freely generated by
the prime divisors. For f ∈ K(C)^* and P ∈ C(k̄), let ord_P(f) denote the order of vanishing
(positive, negative, or zero) of f at P. Define the divisor (f) = Σ_P ord_P(f)(P); any divisor
of this form is called a principal divisor. Similarly, for ω a nonzero 1-form on C, we may
define ord_P(ω) as the order of vanishing, and define the divisor (ω) = Σ_P ord_P(ω)(P); any
divisor of this form is called a canonical divisor. Note that if D is a principal divisor, then
deg(D) = 0, whereas if D is a canonical divisor, then deg(D) = 2g − 2, where g is the genus
of C (by the Riemann-Roch theorem; see below). We write D_1 ~ D_2 to mean that D_1 − D_2 is
a principal divisor; this is clearly an equivalence relation. Note that the ratio of two 1-forms
is a rational function, so any two canonical divisors are equivalent.

A divisor D = Σ_P c_P(P) is effective if c_P ≥ 0 for all P; we write D_1 ≥ D_2 to mean that
D_1 − D_2 is effective. For D effective, we necessarily have deg(D) ≥ 0 (but not conversely).
For D a divisor on C, let L(D) be the set of functions f ∈ K(C)^* such that (f) + D ≥ 0,
together with the zero function. The set L(D) is a vector space over k; let ℓ(D) be the
dimension of that space. Note that ℓ(D) = 0 whenever deg(D) < 0. The main theorem
governing ℓ(D) is the Riemann-Roch theorem, whose statement is the following.

Proposition 3 (Riemann-Roch theorem). For any divisor D on C, with K a canonical divisor,

    \ell(D) = \deg(D) + 1 - g + \ell(K - D).

The class group Cl(C) is defined as the group of divisors of degree zero, modulo the
subgroup of principal divisors; it can be identified with the k-rational points of a certain
g-dimensional abelian variety J, the so-called Jacobian variety of C. Over a finite field, the
order of Cl(C) is closely related to the zeta function, by the following formula (for which
see, e.g., [18, Section 14]).
Proposition 4. Suppose k = F_q; let C_n denote the base change of C to F_{q^n}. Let P(t)
be the numerator of the zeta function of C. Then deg(P) = 2g, and if we factor P(t) =
(1 − r_1 t) ··· (1 − r_{2g} t) with r_1, ..., r_{2g} ∈ C, then

    \#\mathrm{Cl}(C_n) = \prod_{i=1}^{2g} (1 - r_i^n).

For this reason, computing the order of Cl(C) when k is finite is key to our quantum
algorithm for computing zeta functions. The order is further controlled by the Riemann
hypothesis for curves (see [7, Chapter X] for a not-too-technical treatment).

Proposition 5. With notation as in Proposition 4, |r_i| = q^{1/2} for i = 1, ..., 2g. In particular,

    q^n - 2g q^{n/2} \leq \#C(\mathbb{F}_{q^n}) \leq q^n + 2g q^{n/2},
    (q^{n/2} - 1)^{2g} \leq \#\mathrm{Cl}(C_n) \leq (q^{n/2} + 1)^{2g}.

We will exploit the Riemann hypothesis via the following lemma. 

Lemma 6. For e a positive integer, the number of prime divisors of degree e on C is at least

    \frac{1}{e} \left( q^e (1 - q^{-1}) - 4g q^{e/2} \right).

Proof. It suffices to count elements of C(F_{q^e}), subtract elements of C(F_{q^i}) for all proper
divisors i of e, and then divide by e. By Proposition 5 this count can be bounded below by

    \frac{1}{e} \left( q^e - 2g q^{e/2} - \sum_{i < e,\ i \mid e} \left( q^i + 2g q^{i/2} \right) \right).

If e = 1, there is no sum at right, so we obtain q − 2g q^{1/2} as the lower bound, which implies
the desired bound. If e = 2, the bound is

    \frac{1}{2} \left( q^2 - 2gq - q - 2g q^{1/2} \right) \geq \frac{1}{2} \left( q^2 (1 - q^{-1}) - 4gq \right).

Otherwise, every proper divisor i of e satisfies i ≤ e/2, so we may dominate Σ_{i<e, i|e} q^i by
Σ_{i=1}^{⌊e/2⌋} q^i ≤ q^{e−1}, and we may dominate Σ_{i<e, i|e} 2g q^{i/2} by Σ_{i=1}^{⌊e/2⌋} 2g q^{i/2} ≤ 2g q^{e/2}
(both inequalities hold for every q ≥ 2 and e ≥ 3). This yields the lower bound

    \frac{1}{e} \left( q^e - 2g q^{e/2} - q^{e-1} - 2g q^{e/2} \right) = \frac{1}{e} \left( q^e (1 - q^{-1}) - 4g q^{e/2} \right).

□
5 Representing elements of class groups



In the notation of the previous section, we collect here some observations about representing 
elements of C1(C). 

We first note that elements can be represented in a compact form. Let U be a divisor
with deg(U) = 1. Given a divisor D with deg(D) = 0, we have by Riemann-Roch

    \ell(D + mU) = m + 1 - g + \ell(K - D - mU) \geq m + 1 - g;

in particular, if m ≥ g, then ℓ(D + mU) > 0, so that D + mU ~ E for some effective
divisor E. In other words, for any fixed m ≥ g, every element of Cl(C) can be represented
as E − mU for some effective divisor E of degree m.

The representations of elements of Cl(C) in the form E − gU, for E effective of degree g,
are unique "generically" but not always; since we will need to generate random elements of
Cl(C), it will be useful to have representations which are uniformly distributed across Cl(C).
Namely, if deg(D) = 0 and m > 2g − 2, we have deg(K − D − mU) < 0, so Riemann-Roch
yields ℓ(D + mU) = m + 1 − g. In particular, if k = F_q, then each element of Cl(C) is
represented by exactly the same number of divisors of the form E − mU, for E effective of
degree m: namely (q^{m+1−g} − 1)/(q − 1), the number of nonzero elements of L(D + mU) up to
F_q-scalars, since such E correspond to nonzero f ∈ L(D + mU) via E = (f) + D + mU.

Finally, we note that in case there exists a rational point O ∈ C(k), we can represent
elements of Cl(C) in a canonical form. Namely, in this case, if deg(D) = 0, then

    \ell(D + (m-1)(O)) \leq \ell(D + m(O))
        = m + 1 - g + \ell(K - D - m(O))
        \leq m + 1 - g + \ell(K - D - (m-1)(O))
        = \ell(D + (m-1)(O)) + 1.

Hence if m is the smallest nonnegative integer for which ℓ(D + m(O)) > 0, then m ≤ g (as
above) and ℓ(D + m(O)) = 1. In other words, for this choice of m (which depends on D),
there is a unique effective divisor E with D + m(O) ~ E.

6 Computing in class groups 

We now make some remarks about the protocols we have in mind for inputting and computing
on algebraic curves, starting with what constraints on these protocols are imposed by the
demands of our algorithm. Note that we will make liberal use of factorization of univariate
polynomials over finite fields, so our algorithms will be Las Vegas rather than deterministic.

Let C be a curve (which as usual is smooth, projective, and geometrically irreducible)
of genus g over F_q; for n a positive integer, let C_n be the base change of C to F_{q^n}. For the
proof of Theorem 1 we will need an algorithm to compute #Cl(C) in time polynomial in g
and log(q). Using Lemma 2, we see that it is enough to exhibit a Monte Carlo black box
presentation with unique encodings of Cl(C), of input length bounded by a polynomial in
g and log(q); in fact, our oracular operations will be Las Vegas and not just Monte Carlo.
Beware that for technical reasons, we will eventually have to restrict to the situation where
q is "not too small" compared to g; however, that restriction will not be relevant in this
section. (It will also be dropped in the course of proving Theorem 1.)

We now proceed to describing our input protocol and the construction of the black box
presentation of Cl(C), except for producing a generating set; we defer that construction
to the next section. To begin with, we will input C by specifying a homogeneous polynomial
in three variables over F_q cutting out a possibly singular plane model of C within the projective
plane P^2, i.e., a projective, geometrically irreducible one-dimensional scheme C̄ whose
normalization is isomorphic to C. Let d be the degree of the polynomial; then by Plücker's
adjunction formula, the genus g of C is at most (d − 1)(d − 2)/2. That is, g is bounded by a
polynomial in d. We will assume also conversely that d is bounded by a polynomial in g, so
that polynomiality can be measured in terms of d rather than g. This is no real restriction:
by Riemann-Roch, any curve of genus g admits a singular plane model whose degree is
bounded by a linear function of g, so can be properly input into our algorithm.

We need to explicitly describe the singularities of C̄ and the sequence of blowups of P^2
that resolves these singularities. Straightforward algorithms for doing this require passing to
extensions of F_q whose degree is not polynomial in the input length (e.g., an extension over
which all singular points become rational). However, there exist methods that perform the
resolution of singularities in polynomial time, e.g., that of Kozen [14]. Note that the number
of geometric (F̄_q-rational) points of C lying over singular points of C̄ is at most (d − 1)(d − 2)/2,
since each one contributes at least one to the discrepancy between the Plücker bound and g.

Put m = ⌈2 log_q(d)⌉. Since there are at most (d − 1)(d − 2)/2 geometric points of C
lying above singular points on C̄, we can draw an F_{q^m}-rational line in P^2 not meeting any
of the singular points. Pick such a line, let F be the divisor in which the line meets C, and
choose an F̄_q-point O of F; then O is defined over F_{q^{mn}} for some n ≤ d.

The key to constructing a black box presentation of Cl(C) is that the Riemann-Roch
theorem on C_{mn} can be made (Las Vegas) polynomial time effective; in other words, given
a divisor D on C_{mn}, one can efficiently test functions for membership in L(D), write down
a basis of L(D), and express elements of L(D) as linear combinations of that basis. See for
instance Huang and Ierardi (Section 2 of their paper) for an explicit construction; see also
Volcheck for a somewhat more practical construction. (Note that Huang and Ierardi assume
that all singular points are rational, but they also point out that this restriction is only
needed to ensure that resolution of singularities can be performed efficiently. Thanks to the
argument of Kozen from [14], this restriction can be lifted.)

Let S be the set of effective divisors E on C_{mn} with deg(E) ≤ g and ℓ(E) = 1, represented
as bit strings by listing the F̄_q-points on E (on the blowup of P^2 chosen to resolve the
singularities of C̄). Then given a divisor D of degree 0, we can describe a reduction procedure
to produce E ∈ S with D ~ E − deg(E)(O) as follows. Apply effective Riemann-Roch to
produce E_0 of degree g with E_0 ~ D + g(O). Then repeatedly apply effective Riemann-Roch
to find divisors E_1, E_2, ... with deg(E_i) = g − i and E_i − (g − i)(O) ~ E_{i−1} − (g − i + 1)(O),
until it is no longer possible to do so. If this stops at E_i, then E_i ∈ S (by the calculation at
the end of Section 5, since then ℓ(D + (g − i − 1)(O)) = 0) and E_i − (g − i)(O) ~ D.






To add D_1, D_2 ∈ S, we may apply the reduction procedure to D_1 + D_2 − deg(D_1 + D_2)(O).
To negate D ∈ S, we may apply the reduction procedure to −D + deg(D)(O). Hence we
have produced a black box presentation with unique encodings f : S → Cl(C_{mn}), modulo
the problem of exhibiting a generating set. We discuss generating sets in the next section.

7 Finding generators of class groups 

With notation as in the previous section, let T be the subset of S corresponding to elements
of Cl(C). In order to have a black box presentation with unique encodings f : T → Cl(C),
so that we can apply Watrous's algorithm to compute #Cl(C), we need to exhibit with
high probability a subset of T which generates Cl(C); to do this provably (without too
much headache), we will have to assume that q is "not too small" compared to g. It may
be possible to lift this restriction with an even more elaborate argument than the already
involved procedure given below.

We first observe that it suffices to somehow generate uniformly random elements of 
C1(C). 

Lemma 7. Let G be a finite abelian group of order ≤ 2^h. Then for any nonnegative integer
i, if one chooses h + i elements of G uniformly at random (with replacement), the probability
that the chosen elements generate G is at least 1 − 2^{−i}.

Proof. As stated, this is [12, Theorem D.1]; the argument therein is due to Pak.
(Roughly, one checks that the probability is minimized by elementary 2-groups, then verifies
the bound explicitly in that case.) An older but weaker result in the same spirit (which only
yields the desired probability 1 − 2^{−i} after sampling on the order of 2h + i elements, rather
than h + i) is due to Erdős and Rényi (Theorem 1 of their paper). □

By a b-uniform oracle on a finite set V, we will mean an oracle which either fails to return
an answer with probability at most 1/4, or returns an element of V according to a probability
distribution p : V → [0,1] such that for any x, y ∈ V, p(x) ≤ b p(y). (The constant 1/4
is chosen merely for definiteness; as in Section 2, there is no harm in replacing 1/4 by any
other fixed constant between 0 and 1.)

Lemma 8. Given a positive integer e such that 16g < q^{e/2}, let V be the set of prime divisors
on C of degree e. Then there exists a (1 + (2g − 2 + d)/e)-uniform oracle on V, running in
time polynomial in g, e and log(q).

Proof. Put j = ⌈(2g − 1 + e)/d⌉. Consider an oracle that performs the following operation:
select a random homogeneous polynomial over F_q of degree j, then extract uniformly at
random an F_{q^e}-rational point of C of degree exactly e (i.e., not defined over a proper subfield
of F_{q^e}) on which this polynomial vanishes, and return the divisor consisting of the Galois
orbit of that point. (Here failure occurs if there is no such point, if the chosen polynomial
restricts to zero on C, or if Las Vegas univariate polynomial factorization fails.)






To analyze this oracle, we first note that the homogeneous polynomials of degree j
give rise to q^{jd+1−g} distinct functions on C, by Riemann-Roch (and each occurs the same
number of times). Also by Riemann-Roch, each prime divisor E of degree e occurs in the
zero locus of q^{jd−e+1−g} such functions: namely, if F is the divisor along which C meets
some line, we have ℓ(jF − E) = jd − e + 1 − g + ℓ(K − jF + E) = jd − e + 1 − g since
deg(K − jF + E) = 2g − 2 − jd + e < 0.

Note that each nonzero homogeneous polynomial of degree j can give rise to at most
⌊jd/e⌋ distinct prime divisors of degree e in its zero locus. This means that on one hand,
the ratio between the probabilities of producing any two prime divisors of degree e is at most
⌊jd/e⌋ ≤ 1 + (2g − 2 + d)/e. On the other hand, by Lemma 6 and the hypothesis 16g < q^{e/2},
the probability of success of the oracle (assuming success in the polynomial factorization,
which can be assured to sufficiently high probability by repeated trials) is at least

    \frac{1}{e} \cdot \frac{(q^{jd-e+1-g} - 1)\left( q^e (1 - q^{-1}) - 4g q^{e/2} \right)}{q^{jd+1-g}}
      \geq \frac{1}{2e} \cdot \frac{q^e (1 - q^{-1}) - 4g q^{e/2}}{q^e}
      \geq \frac{1 - 8g q^{-e/2}}{4e}
      \geq \frac{1}{8e}.

With 1024e^2 invocations of this oracle (as in Section 2), we can boost this probability to
3/4, yielding the desired result. □

Note that one cannot state the previous lemma as written without some lower bound on
q with respect to g; otherwise it might happen that V is empty, and one certainly cannot
construct the desired oracle in that case! This complication is the reason we will be limited
to the case where q is "not too small" below.

Next, we give a "simulation" conversion from a b-uniform oracle into a 1-uniform oracle.
(The "simulation" qualifier refers to the fact that one must explicitly know the probability
distribution on the initial oracle, which is too strong an assumption to make in practice.)

Lemma 9. Suppose we are given a b-uniform oracle on a finite set V with known distribution
and error probability. Then we can construct a 1-uniform oracle on V requiring at most 16b^2
invocations of the initial oracle.

Proof. Let p : V → [0,1] be the probability distribution of the initial oracle (conditionally on
its not failing), and put p_0 = min_{x∈V} p(x); note that

    p_0 \geq \frac{1}{b \cdot \#V}

since the initial oracle is b-uniform (sum p(x) ≤ b p_0 over x ∈ V). Consider the following
operation: invoke the initial oracle once to produce x, then return x with probability p_0/p(x)
and fail otherwise. This operation is equally likely to return any element of V, and, whenever
the initial oracle does not fail, succeeds with probability p_0 · #V ≥ 1/b. Performing the
operation 16b^2 times (as in Section 2) gives a new oracle with failure probability at most 1/4,
as desired. □
We now put together the previous lemmas. It should be cautioned that the awkward
intricacy of the resulting Lemma 10 is caused by our desire to have a fully unconditional
complexity analysis; in practice, one is quite likely to obtain a generating set by selecting
divisors by any reasonably arbitrary process!

Lemma 10. Under the assumption 16g < q^{1/2}, there exists a Monte Carlo algorithm that
produces a subset of T generating Cl(C) in time polynomial in g, log(q).

Proof. Put h = ⌈2g log_2(q^{1/2} + 1)⌉, so that #Cl(C) ≤ 2^h by Proposition 5. Put N =
2g − 1 + d, so that N ≥ 1 + (2g − 2 + d)/e for every positive integer e. By repeated use of
Lemma 8 (whose hypothesis 16g < q^{e/2} holds for every e ≥ 1 under our assumption) together
with Lemma 9, we can produce, for each of i = 1, ..., 2g − 1, a list of 32N^2(2g − 1)(h + 3)
prime divisors of degree i, each produced by an N-uniform oracle. Moreover, we can do this
with overall probability of failure at most 1/16.

Apply Lemma 8 (with e = 1) to produce a divisor U of degree 1, then convert each divisor
E in the list into an element of T by reducing E − deg(E)U via effective Riemann-Roch. We
now verify that the resulting elements of Cl(C) generate Cl(C) with probability at least 3/4
by a "simulation" argument; namely, we exhibit the existence of another random process
which necessarily produces a sublist of our given list, but which also produces a generating
set for Cl(C) with probability at least 3/4.

In this context, we may assume that we know the distribution of the oracle produced
by Lemma 8. (In the context of constructing the algorithm, we cannot use this knowledge,
as it would amount to already knowing the zeta function of C. The point is that we do not
use the information to perform any algorithmic steps, only to verify the error bound.) By
Lemma 9, we may then extract from the given data a list of (2g − 1)(h + 3) prime divisors of
degree i, with failure probability at most 1/16. (The factor of 16N^2 is shed in the application
of Lemma 9; shedding the factor of 2(2g − 1) allows us to shrink the failure probability to
1/16^{2g−1}, so that the combined failure probability after producing all 2g − 1 lists is at most
1/16.)

From these new lists, we can in turn simulate the uniform random choice of h + 3 effective
divisors of degree 2g − 1. We do this assuming knowledge of the number of prime divisors of
degrees 1, ..., 2g − 1 (again, this amounts to knowing the desired zeta function, but this is
okay for proving an error bound). With that knowledge, we may choose a "shape" of a degree
2g − 1 divisor (i.e., the information of how many prime divisors occur with a given degree and
multiplicity) according to the distribution which is uniform for individual divisors. (That
is, each shape has probability proportional to the number of divisors taking that shape.)
Given a shape, we may then read off from our lists uniformly random prime divisors of the
appropriate degrees; we cannot use more than 2g − 1 divisors of any one degree at a time,
so we have enough data to do this h + 3 times (with no additional failure probability at this
step).

Finally, with h + 3 uniformly random effective divisors of degree 2g − 1 in hand, we obtain
by reduction h + 3 uniformly random elements of Cl(C) (by the calculations of Section 5,
since 2g − 1 > 2g − 2). By Lemma 7, these generate Cl(C) with probability at least 1 − 1/8.
Since the divisors we produced were synthesized from the original list we produced, that
list also generates Cl(C) with probability at least 1 − 1/8. Totaling the failure and error
probabilities yields an error probability in the Monte Carlo algorithm of at most 1/4, as
desired. (Note that the only step which is Monte Carlo rather than Las Vegas is the last one,
since we do not check whether the random elements we produced actually do generate
Cl(C).) □

We now may combine all of our efforts so far to obtain the following result. 

Proposition 11. For e such that 16g < q^{e/2}, there exists a quantum algorithm to compute
#Cl(C_e) in time polynomial in g, log(q), e.

Proof. The construction of the previous section exhibits a black box presentation with unique
encodings for Cl(C_e), minus the construction of a set of generators; these are furnished by
Lemma 10 (applied to C_e, which has genus g over a field of size q^e). Now Lemma 2 applies
to yield the desired algorithm. □



8 Computing the zeta function 

Retain notation as in Section 6. By Proposition 11, we can exhibit a quantum algorithm
to compute the order #Cl(C_n) in time polynomial in g, log(q), n, as long as
16g < q^{n/2}. With this quantum input in hand, we now establish Theorem 1.

Proof of Theorem 1. We first proceed under the assumption that 16g < q^{1/2}, so that we may
apply Proposition 11 for any e. Note that this assumption only intervenes via the invocation
of Proposition 11; if one were to prove a form of that proposition without the lower bound
on q, this restriction would drop out of the proof of Theorem 1.

Recall that by the Weil conjectures (see Proposition 5 and also [11, Appendix C]), we can
factor P(t) over C as

    (1 - r_1 t) \cdots (1 - r_{2g} t),

where each r_i is an algebraic integer of absolute value q^{1/2}, and r_i r_{g+i} = q for i = 1, ..., g.
Write P(t) = a_0 + a_1 t + ··· + a_{2g} t^{2g} with a_0 = 1; then the symmetry r_i r_{g+i} = q implies that
a_{g+i} = q^i a_{g−i} for i = 1, ..., g, so to determine P(t) it is enough to determine the integers
a_1, ..., a_g.

As noted earlier (Proposition 4), we then have

    \#\mathrm{Cl}(C_n) = \prod_{i=1}^{2g} (1 - r_i^n) = q^{gn} \prod_{i=1}^{2g} (1 - r_i^{-n}),

the second equality because ∏_i r_i = q^g. Put

    c_n = q^{-gn} \#\mathrm{Cl}(C_n), \qquad s_n = q^{-n} \sum_{i=1}^{2g} r_i^n = \sum_{i=1}^{2g} r_i^{-n}

(the two expressions for s_n agree because r_i^{-1} = r_{g+i}/q); then we can write

    \log c_n = \sum_{i=1}^{2g} \log(1 - r_i^{-n}) = -\sum_{j=1}^{\infty} \frac{s_{nj}}{j}.

By the Newton-Girard formulae,

    q^n s_n + a_1 q^{n-1} s_{n-1} + \cdots + a_{n-1} q s_1 + n a_n = 0 \qquad (n = 1, \ldots, g);

in particular, it is enough to determine s_1, ..., s_g, as we can then recover a_1, ..., a_g.

Using Proposition 11 we can compute c_n in suitable time for n = 1, ..., m with m =
max{18, 2g}. We can then compute s_1, ..., s_g exactly as follows. Suppose n ≤ g and that s_i
has been computed exactly for i = 1, ..., n − 1. The quantity q^n s_n = Σ_i r_i^n is an integer (and
the Newton-Girard formulae even determine its residue modulo n from s_1, ..., s_{n−1}). Hence
we can recover the exact value of s_n if we can compute q^n s_n to within an error of less than 0.5.

Let μ denote the Möbius function, put k = ⌊m/n⌋, and compute

    -q^n \sum_{i=1}^{k} \frac{\mu(i)}{i} \log c_{ni} = q^n s_n + q^n \sum_{j=k+1}^{\infty} \frac{\epsilon_j}{j} s_{nj}

to an error of less than 0.005. Here

    \epsilon_j = \sum_{1 \leq i \leq k,\ i \mid j} \mu(i)

is an integer of absolute value at most k (and ε_j = 0 for 1 < j ≤ k, which is why only the
tail j > k survives), so using |s_{nj}| ≤ 2g q^{−nj/2} we get

    \left| q^n \sum_{j=k+1}^{\infty} \frac{\epsilon_j}{j} s_{nj} \right|
      \leq \sum_{j=k+1}^{\infty} \frac{2gk}{j} \, q^n q^{-nj/2}
      \leq \frac{2gk}{k+1} \cdot \frac{q^{-n(k-1)/2}}{1 - q^{-n/2}}.

For n = 1 we have k = m ≥ 2g, so 2gk/(k + 1) ≤ k^2/(k + 1) < k + 1 and this last expression
is less than

    (k+1) \cdot \frac{q^{-n(k-1)/2}}{1 - q^{-n/2}},

which is less than 0.495 if k ≥ k_0 and q^n ≥ q_0 for some pair

    (k_0, q_0) ∈ {(2, 50), (3, 14), (4, 7), (5, 5), (6, 4), (8, 3), (15, 2)}.

Note that 18 ≥ (k_0 + 1) log_2(q_0) for each pair (k_0, q_0) in the above list. Since m ≥ 18 and
q ≥ 2, for any pair (k, n) with k ≥ 2 and k = ⌊m/n⌋ we have (k + 1) log_2(q^n) ≥ (k + 1)n >
m ≥ 18, and hence k ≥ k_0 and q^n ≥ q_0 for some pair (k_0, q_0) (check the cases k ≥ 15,
8 ≤ k ≤ 14, 6 ≤ k ≤ 7, k = 5, 4, 3, 2 in turn; e.g., k = 2 forces q^n ≥ 65). For n ≥ 2 we
instead use the running hypothesis 16g < q^{1/2} ≤ q^{n/2}: then 2g < q^{n/2}/8, so the tail bound
is less than q^{−n(k−2)/2}/(8(1 − q^{−n/2})) ≤ 1/(8(1 − 1/16)) < 0.495, since k ≥ 2 and q^{n/2} > 16.
Thus in all cases the computed value differs from q^n s_n by less than 0.5, so we may
determine s_n exactly. We may thus recover the zeta function in this fashion.
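The recovery procedure just described, run end to end on a constructed example. This code is added here and is not from the paper or its author. The quantum order-finding oracle of Proposition 11 is replaced by an exact classical computation of #Cl(C_n) from a constructed Weil polynomial, namely P(t) = (1 − 2t + 5t^2)(1 + t + 5t^2) = 1 − t + 8t^2 − 5t^3 + 25t^4 with q = 5, g = 2 (the zeta numerator of a product of two elliptic curves over F_5, standing in for a genus-2 Jacobian; P_SAMPLE and Q_SAMPLE are this example's constants). The function names and the choice of 80 decimal digits of working precision are this example's own assumptions. The recovery forgets P(t) and rebuilds a_1, ..., a_g from the numbers #Cl(C_n), n = 1, ..., max{18, 2g}, by the truncated Möbius sum and the Newton-Girard formulae, checking that each truncated sum lands within 1/2 of an integer as the proof requires.

```python
"""Recovering P(t) from the class numbers #Cl(C_n): added worked example.

Stand-in for the quantum step: #Cl(C_n) is computed exactly from a constructed
Weil polynomial, and P(t) is then rebuilt from those numbers alone.
"""
from decimal import Decimal, ROUND_HALF_EVEN, getcontext
from fractions import Fraction

getcontext().prec = 80  # guard digits for the logarithms (assumed ample here)

# Constructed sample: q = 5, g = 2, P(t) = (1 - 2t + 5t^2)(1 + t + 5t^2), the zeta
# numerator of a product of two elliptic curves over F_5 (coefficients a_0..a_4).
Q_SAMPLE = 5
P_SAMPLE = [1, -1, 8, -5, 25]


def power_sums(a, count):
    """p_j = sum_i r_i^j, j = 0..count, for P(t) = sum_k a_k t^k = prod_i (1 - r_i t).

    Newton's identities for x^d + a_1 x^{d-1} + ... + a_d = prod_i (x - r_i):
      p_j + a_1 p_{j-1} + ... + a_{j-1} p_1 + j a_j = 0   for j <= d,
      p_j + a_1 p_{j-1} + ... + a_d p_{j-d} = 0           for j >  d.
    """
    d = len(a) - 1
    p = [d]
    for j in range(1, count + 1):
        s = sum(a[i] * p[j - i] for i in range(1, min(j - 1, d) + 1))
        if j <= d:
            s += j * a[j]
        p.append(-s)
    return p


def class_number(a, n):
    """#Cl(C_n) = prod_i (1 - r_i^n), exactly (Proposition 4 applied to P)."""
    d = len(a) - 1
    p = power_sums(a, n * d)           # power sums of the r_i^n are p[n*i]
    e = [Fraction(1)]                  # elementary symmetric functions of the r_i^n
    for k in range(1, d + 1):
        e.append(sum((-1) ** (i - 1) * e[k - i] * p[n * i] for i in range(1, k + 1)) / k)
    total = sum((-1) ** k * e[k] for k in range(d + 1))
    assert total.denominator == 1
    return int(total)


def moebius(n):
    """Moebius function by trial division (arguments here are at most 18)."""
    result, m, f = 1, n, 2
    while f * f <= m:
        if m % f == 0:
            m //= f
            if m % f == 0:
                return 0
            result = -result
        f += 1
    return -result if m > 1 else result


def recover_weil_polynomial(q, g, class_numbers):
    """Rebuild a_0..a_{2g} from class_numbers[n] = #Cl(C_n), n = 1..max(18, 2g).

    c_n = q^{-gn} #Cl(C_n) and s_n = q^{-n} sum_i r_i^n satisfy
    log c_n = -sum_{j>=1} s_{nj}/j, so q^n s_n = -q^n sum_j mu(j)/j log c_{nj};
    truncating at j <= m/n leaves an error below 1/2 (the proof's tail bound),
    and q^n s_n = sum_i r_i^n is an integer, so rounding recovers it exactly.
    """
    m = max(18, 2 * g)
    log_q = Decimal(q).ln()
    log_c = {n: Decimal(class_numbers[n]).ln() - g * n * log_q for n in range(1, m + 1)}
    p = [2 * g]   # p_n = sum_i r_i^n = q^n s_n
    a = [1]       # a_0 = 1, then a_1, ..., a_g
    for n in range(1, g + 1):
        k = m // n
        approx = -(Decimal(q) ** n) * sum(Decimal(moebius(j)) / j * log_c[n * j] for j in range(1, k + 1))
        p_n = int(approx.to_integral_value(rounding=ROUND_HALF_EVEN))
        if abs(approx - p_n) >= Decimal("0.5"):
            raise ValueError("truncated Moebius sum is not within 1/2 of an integer")
        p.append(p_n)
        # Newton-Girard: q^n s_n + a_1 q^{n-1} s_{n-1} + ... + a_{n-1} q s_1 + n a_n = 0
        num = -(p_n + sum(a[i] * p[n - i] for i in range(1, n)))
        if num % n:
            raise ValueError("Newton-Girard did not produce an integer coefficient")
        a.append(num // n)
    for i in range(1, g + 1):          # functional equation a_{g+i} = q^i a_{g-i}
        a.append(q ** i * a[g - i])
    return a


if __name__ == "__main__":
    g = (len(P_SAMPLE) - 1) // 2
    counts = {n: class_number(P_SAMPLE, n) for n in range(1, max(18, 2 * g) + 1)}
    print(recover_weil_polynomial(Q_SAMPLE, g, counts))  # [1, -1, 8, -5, 25]
```

The tail bound of the proof is what makes the rounding step safe; the check in recover_weil_polynomial raises if a truncated sum is ever too far from an integer, which is the failure to watch for if one experiments with fewer class numbers than m = max{18, 2g}.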

To recap, we have proved that we can recover the zeta function of C provided that
16g < q^{1/2}; it remains to relax this restriction. Given arbitrary g and q, choose m_1, m_2
subject to the following conditions.

• m_1 < m_2.

• For i = 1, 2, m_i is prime and m_i − 1 is divisible by some prime greater than 2g.

• 16g < q^{m_1/2}.

The existence of such m_1, m_2 of size bounded by a polynomial in g, log(q) is guaranteed, e.g.,
by a theorem of Harman (Theorem 1.2 of the cited paper), which asserts that for any fixed
θ < 0.610, there exist effectively computable constants δ > 0 and x_0 ∈ R such that for x ≥ x_0,
there are at least δx/log(x) primes p ∈ {1, ..., x} such that p − 1 has greatest prime factor
bigger than x^θ. (Many results of this ilk exist in the analytic number theory literature, but
the effective computability of the constants seems to be new to Harman's paper.)

Apply the previous argument to compute the zeta functions of C_{m_1}, C_{m_2} (both satisfy
the hypothesis 16g < q^{m_i/2}). We thus have the lists r_1^{m_1}, ..., r_{2g}^{m_1} and r_1^{m_2}, ..., r_{2g}^{m_2},
each known only as an unordered multiset. By the construction of m_1 and m_2, the field
Q(r_1, ..., r_{2g}) cannot contain a nontrivial m_1-th or m_2-th root of unity (else such a root of
unity would generate a subfield whose degree has a prime factor greater than 2g, whereas
the degree of Q(r_1, ..., r_{2g}) divides (2g)!). Consequently it contains no nontrivial m_1 m_2-th
root of unity either, and so (r_i^{m_1})^{m_2} = (r_j^{m_2})^{m_1} if and only if r_i = r_j.

If we now pick out an element A of the first list, there is only one value (possibly
repeated) B occurring in the second list with A^{m_2} = B^{m_1}. We can thus unambiguously
(up to interchanging identical values) pair off each r_i^{m_1} with its corresponding r_i^{m_2}, and
then recover r_i = (r_i^{m_1})^u (r_i^{m_2})^v, where u, v are integers with u m_1 + v m_2 = 1 (which
exist since m_1 and m_2 are distinct primes). This completes the proof. □

9 Cyclic resultants 

The above argument can also be described as follows. Given a polynomial $P(t)$ with roots $r_1, \ldots, r_d$, the $m$-th cyclic resultant of $P(t)$ is defined as
$$\mathrm{Res}(P(t), t^m - 1) = \prod_{i=1}^{d} (r_i^m - 1).$$

These arise in a number of applications; see [?] for further discussion. A theorem of Fried [?] asserts that if $P(t)$ has even degree and is reciprocal (i.e., $P(t) = t^d P(1/t)$), then $P$ is uniquely determined by its sequence of cyclic resultants. This is precisely the situation we are in, which is not surprising: Fried arrived at this situation by counting fixed points of the powers of an endomorphism of a topological torus in terms of the Lefschetz trace formula on cohomology, and we are doing the same with the Frobenius endomorphism on an abelian variety.

Unfortunately, Fried's theorem does not give an effective bound on the number of cyclic resultants needed to recover $P(t)$, nor an algorithm for doing so. A conjecture of Sturmfels and Zworski asserts that the first $d/2 + 1$ cyclic resultants should suffice for $P$ generic (if $P$ is not reciprocal, they conjecture that generically $d + 1$ resultants suffice). A theorem of Hillar and Levine [?] states that the first $2^{d+1}$ cyclic resultants determine $P$; what we have done is show that for very special reciprocal $P$, we can explicitly recover $P$ from only $d$ cyclic resultants.
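As an added worked example (my own code, not the paper's), the following Python computes the $d = 2g$ cyclic resultants of a constructed genus-2 Weil polynomial exactly via Newton's identities, and then recovers the polynomial from those values along the lines of the argument above. The Möbius-weighted combination of $\log c_{ni}$ used to cancel the unknown $s_{nj}$ is my reading of that argument; $q = 1009$, $g = 2$ are constructed so that $16g < q^{1/2}$.

```python
import math
from fractions import Fraction

def power_sums(coeffs, nmax):
    """s[n] = sum_i r_i^n (n <= nmax) for monic P(t) = t^d + c_1 t^(d-1) + ... + c_d."""
    d = len(coeffs) - 1
    e = [(-1) ** k * coeffs[k] for k in range(d + 1)]  # elementary symmetric e_k
    s = [d]
    for n in range(1, nmax + 1):
        acc = sum((-1) ** (i - 1) * e[i] * s[n - i] for i in range(1, min(n - 1, d) + 1))
        s.append(acc + ((-1) ** (n - 1) * n * e[n] if n <= d else 0))
    return s

def elem_sym(p, d):
    """e[0..d] from power sums p[1..d], exactly, via Newton's identities."""
    e = [Fraction(1)]
    for n in range(1, d + 1):
        e.append(sum((-1) ** (i - 1) * e[n - i] * p[i] for i in range(1, n + 1)) / n)
    return e

def cyclic_resultant(coeffs, n):
    """Res(P(t), t^n - 1) = prod_i (r_i^n - 1), exactly, without finding the roots."""
    d = len(coeffs) - 1
    s = power_sums(coeffs, n * d)
    e = elem_sym([None] + [s[n * j] for j in range(1, d + 1)], d)
    val = sum((-1) ** k * e[k] for k in range(d + 1))  # = prod_i (1 - r_i^n)
    return int(val) if d % 2 == 0 else -int(val)

def mobius_upto(m):
    """mu(0..m), using sum_{d|n} mu(d) = 0 for n > 1."""
    mu = [0, 1] + [0] * (m - 1)
    for n in range(2, m + 1):
        mu[n] = -sum(mu[d] for d in range(1, n) if n % d == 0)
    return mu

def recover_power_sums(N, q, g):
    """s_1..s_g from N[n] = #J(F_{q^n}) = prod_i (1 - r_i^n), n = 1..2g: eps_n = sum_{i<=k} mu(i)/i
    log c_{ni} (c_n = N_n/q^(gn), k = floor(2g/n)) kills s_{nj}, 2<=j<=k; s_n = -q^n eps_n + small tail."""
    m, mu = 2 * g, mobius_upto(2 * g)
    logc = {n: math.log(N[n] / q ** (g * n)) for n in range(1, m + 1)}
    return {n: round(-q ** n * sum(mu[i] / i * logc[n * i] for i in range(1, m // n + 1)))
            for n in range(1, g + 1)}

def weil_polynomial(s, q, g):
    """Monic reciprocal P of degree 2g (c_{2g-k} = q^(g-k) c_k) from s_1..s_g alone."""
    e = elem_sym([None] + [s[i] for i in range(1, g + 1)], g)
    c = [int((-1) ** k * e[k]) for k in range(g + 1)]
    return c + [q ** (g - k) * c[k] for k in range(g - 1, -1, -1)]
Q, G, P = 1009, 2, [1, 1, 2 * 1009 - 2, 1009, 1009 ** 2]  # constructed: (t^2 - t + q)(t^2 + 2t + q), 16g < q^(1/2)
N = {n: cyclic_resultant(P, n) for n in range(1, 2 * G + 1)}  # the d = 2g cyclic resultants
```

Calling `weil_polynomial(recover_power_sums(N, Q, G), Q, G)` returns `P` again, i.e. the four resultants determine the genus-2 polynomial exactly.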

Whether one can bring $d$ down any closer to the theoretical lower bound $d/2$, i.e., whether one can compute the zeta function of a curve of genus $g$ using fewer than $2g$ calls to the quantum oracle, is a tantalizing question. Our current approach fails to accomplish this because, for instance, we recover $s_g$ from $s_g + s_{2g} + \cdots$, and the term $s_{2g}$ is of exactly the same order as the size of the interval in which we must bound $s_g$ in order to determine it exactly, namely $q^{-g}$. Thus breaking the $2g$ barrier would seem to require a fundamentally new idea.

Incidentally, this barrier may be of interest even in the absence of quantum computers, 
as it may be possible to use the proof of Theorem 1 to obtain a probabilistic polynomial 
time algorithm for verifying the zeta function of a curve, which verifies the orders of the first 
few Jacobian groups. Unfortunately, while it is easy to efficiently verify the exponent of a 
black box group, it is less clear how to efficiently verify its order. (Thanks to Dan Bernstein 
for this remark.) 

10 Further comments 

It should be noted that the problem of giving an efficient quantum algorithm to compute the zeta function of an arbitrary variety $X$ over a finite field $\mathbb{F}_q$ is now effectively solved in dimension $\le 1$. For $\dim(X) = 0$, i.e., for $X$ a finite union of closed points, computing the zeta function of $X$ amounts to finding the distinct-degree factorization of a univariate polynomial, so this can even be done in deterministic polynomial time. For $\dim(X) = 1$, if $X$ is geometrically irreducible, one can find the unique smooth projective curve $C$ birational to $X$, compute its zeta function, then express the discrepancy between the zeta functions of $X$ and $C$ in terms of the zeta functions of zero-dimensional varieties. If $X$ is not geometrically irreducible, one can split it over an extension of degree at most its genus and proceed as above.

However, considering varieties of a fixed higher dimension seems to pose more serious challenges. (Allowing the dimension to vary brings us dangerously close to the P = NP problem, which we prefer to stay well clear of.) Things are well understood, at least theoretically, if the characteristic $p$ of $\mathbb{F}_q$ is fixed; as noted earlier, Lauder and Wan [?] give a deterministic algorithm for computing the zeta function of a singular hypersurface of degree $d$ in $\mathbb{P}^n$, in time polynomial in $p$, $\log_p(q)$, $d$. (Again, one can reduce to this case by induction on dimension, since any irreducible variety is birational to a hypersurface.)

On the other hand, if $p$ is allowed to vary, then even the following question remains somewhat mysterious, except in some cases related to modular forms (as demonstrated by ongoing work of Bas Edixhoven and his collaborators on efficient computation of the values of Ramanujan's $\tau$ function).

Question 12. Let $X$ be a fixed variety over $\mathbb{Q}$ (or better, fix a model over $\mathbb{Z}$) of dimension greater than 1. Does there necessarily exist a deterministic, random, or quantum polynomial time algorithm in $\log(p)$ to determine the zeta function of $X$ over $\mathbb{F}_p$, for $p$ a varying prime?

For $X$ of dimension 1, Schoof-Pila gives a deterministic affirmative answer. However, the approach used there breaks down in higher dimensions; briefly put, there is no "geometric" realization of the higher étale cohomology groups analogous to the realization of the first étale cohomology group in the Tate module of the Jacobian. The work of Edixhoven suggests such a realization in case the relevant cohomology group is "modular", by comparing the higher étale cohomologies to first étale cohomologies on other spaces. However, already the case when $X$ is a (fixed) surface of general type, without any special structure, seems to require a new idea.

We also point out a related but markedly different investigation initiated by van Dam [?], who looks for "efficient" quantum circuits for computing the zeta functions of varieties, mostly in dimensions greater than 1. The emphasis there is on directly realizing Frobenius eigenvalues within easy-to-construct Hermitian operators; this is done in [23] for some diagonal hypersurfaces (where the relevant eigenvalues are Gauss sums) but seems quite difficult in general.